A massive cyberattack swept across systems worldwide this week, spanning Europe, the Middle East, and the United States and affecting a variety of companies, from banking institutions to airlines to hospitals. The outbreak comes just weeks after the WannaCry attack that hit at least 150 countries. Keep up with the latest news from the attack here as we uncover details about the outbreak.
Jul 5, 2017
The group responsible for last week’s globe-spanning ransomware attack has made their first public statement. Motherboard first spotted the post, which was left on the Tor-only announcement service DeepPaste. In the message, the Petya authors offer the private encryption key used in the attack in exchange for 100 bitcoin, the equivalent of over $250,000 at current rates.
Crucially, the message includes a file signed with Petya’s private key, which is strong evidence that the message came from the group responsible for Petya. More specifically, it proves that whoever left the message has the necessary private key to decrypt individual files infected by the virus. Because the virus deleted certain boot-level files, it’s impossible to entirely recover infected systems, but individual files can still be recovered. The message also included a link to a chat room where the malware authors discussed the offer, although the room has since been deactivated.
Jul 3, 2017
Last week’s globe-spanning ransomware outbreak may have started with a remarkably simple attack. This morning, independent security analyst Jonathan Nichols discovered an alarming vulnerability in the update servers for Ukrainian software company MeDoc, one of the companies at the center of the attack.
Researchers believe that many of the initial Petya infections were the result of a poisoned update from MeDoc, which sent out malware disguised as a software update. But according to Nichols’ research, sending out that poisoned update may have been a relatively simple task, thanks to underlying weaknesses in the company’s security.
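The Jul 5 entry above (a message signed with Petya’s private key proves the poster held that key) and this entry (an update channel is only as trustworthy as its signing process) rest on the same check: a signature verifies under a public key only if it was produced with the matching private key. The following is an added example, not code from this page, from MeDoc, or from the Petya authors: a hypothetical update client in Go that pins the vendor’s ed25519 public key and refuses any payload that is not covered by a vendor-signed manifest. The manifest format, key names, version strings and payload bytes are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor. The vendor signs the version
// string plus the payload hash; clients pin the vendor's public key.
type Manifest struct {
	Version    string
	PayloadSHA [32]byte
	Signature  []byte // ed25519 over manifestBytes(Version, PayloadSHA)
}

func manifestBytes(version string, sum [32]byte) []byte {
	return append([]byte(version+"\n"), sum[:]...)
}

// SignManifest runs wherever the vendor's signing key lives (ideally an HSM
// or an offline build signer, never the public update server itself).
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{
		Version:    version,
		PayloadSHA: sum,
		Signature:  ed25519.Sign(priv, manifestBytes(version, sum)),
	}
}

// VerifyUpdate is the client-side check before anything is written to disk
// or executed: first the signature under the pinned key, then the payload hash.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, payload []byte) error {
	if !ed25519.Verify(pinned, manifestBytes(m.Version, m.PayloadSHA), m.Signature) {
		return errors.New("manifest signature does not verify under pinned vendor key")
	}
	if sha256.Sum256(payload) != m.PayloadSHA {
		return errors.New("payload hash does not match signed manifest")
	}
	return nil
}

// Scenario plays out three deliveries from a simulated update server and
// reports whether each would be accepted:
//   genuine - vendor-signed manifest, untouched payload
//   swapped - vendor-signed manifest, payload replaced on the server
//   forged  - manifest re-signed by an attacker who lacks the vendor key
func Scenario() (genuine, swapped, forged bool) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	good := []byte("constructed: legitimate update binary")
	bad := []byte("constructed: trojanised update binary")

	m := SignManifest(vendorPriv, "1.2", good)
	genuine = VerifyUpdate(vendorPub, m, good) == nil
	swapped = VerifyUpdate(vendorPub, m, bad) == nil
	forged = VerifyUpdate(vendorPub, SignManifest(attackerPriv, "1.2", bad), bad) == nil
	return genuine, swapped, forged
}

func main() {
	g, s, f := Scenario()
	fmt.Printf("genuine accepted: %v\nswapped payload accepted: %v\nattacker-signed accepted: %v\n", g, s, f)
}
```

The “swapped” case is what a compromised update server can serve when the signing key is kept off that server: the attacker can replace the bytes but cannot produce a manifest that verifies, so every client rejects the update. If the signing key sits on the same server, or if clients check only TLS and a version number, the check adds nothing; keeping signing off the distribution path is the point. The same logic is why a message that verifies under Petya’s public key is strong evidence that the poster held the private key, whatever signature scheme the authors actually used.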
Jul 2, 2017
In the wake of last week’s massive Petya ransomware attack in Eastern Europe, researchers are reaching consensus that the incident was a politically motivated cyberattack. According to CNBC, the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) recently put out a statement saying the attack was likely carried out by a state actor or by a group with state approval. If that attribution holds, the operation could in principle be treated as an act of war, which would trigger Article 5 of the Washington Treaty and oblige NATO allies to respond.
“As important government systems have been targeted, then in case the operation is attributed to a state this could count as a violation of sovereignty,” wrote Tomáš Minárik, a researcher at the CCD COE law branch, in the release. “Consequently, this could be an internationally wrongful act, which might give the targeted states several options to respond with countermeasures.”
Jun 28, 2017
The haze of yesterday’s massive ransomware attack is clearing, and Ukraine has already emerged as the epicenter of the damage. Kaspersky Lab reports that as many as 60 percent of the systems infected by the Petya ransomware were located within Ukraine, far more than anywhere else. The hack’s reach touched some of the country’s most crucial infrastructure, including its central bank, airport, metro transport, and even the Chernobyl power plant, which was forced to move radiation-sensing systems to manual.
The ostensible purpose of all that damage was to make money — and yet there’s very little money to be found. Most ransomware flies under the radar, quietly collecting payouts from companies eager to get their data back and decrypting systems as payments come in. But Petya seems to have been incapable of decrypting infected machines, and its payout method was bizarrely complex, hinging on a single email address that was shut down almost as soon as the malware made headlines. As of this morning, the Bitcoin wallet associated with the attack had received just $10,000, a relatively meager payout by ransomware standards.
Jun 28, 2017
The global Petya virus has “significantly affected” the worldwide operations of TNT Express, a subsidiary of FedEx that’s based in the Netherlands. Both the domestic and international shipping services remain operational, but they are experiencing delays, the companies say. FedEx halted trading of its shares shortly after the announcement, but all other FedEx-owned companies are so far unaffected.
“We cannot measure the financial impact of this service disruption at this time, but it could be material,” FedEx writes in a statement about the service disruption. The company adds that “remediation steps and contingency plans are being implemented as quickly as possible,” including using FedEx’s own Express service to help with the backlog. TNT Express was acquired by FedEx in 2016. It ships 1 million packages a day to 200 countries.
Jun 28, 2017
The virus that began spreading through European computers yesterday informed users that they could unlock their machines by paying a $300 ransom. But it looks like the program’s creators had no intention of restoring the machines at all. In fact, a new analysis reveals they couldn’t; the virus was designed to wipe computers outright.
Matt Suiche, founder of the cybersecurity firm Comae, writes in a blog post today that after analyzing the virus, known as Petya, his team determined that it was a “wiper,” not ransomware. “We can see the current version of Petya clearly got rewritten to be a wiper and not an actual ransomware,” Suiche writes.
When the WannaCry ransomware tore through the UK and Europe in May, there was a certain logic to the heightened scale of damage. Ransomware attacks were nothing new, but this one had a secret weapon, a sophisticated software exploit known as EternalBlue, published by the Shadow Brokers in April and believed to have been developed by the NSA. It was nation-state level weaponry turned against soft, civilian targets, like robbing a small-town bank with an Abrams tank. If you were looking for answers on how it spread so far so fast, you didn’t have to look far.
Now, just over a month later, a new strain of ransomware has inflicted similar damage with almost none of that firepower. A variant of the Petya family of ransomware, the virus has infected thousands of systems across the world, including massive multinational corporations like Maersk, Rosneft and Merck, but it’s done so with far less raw material. Petya still uses EternalBlue, but many target organizations have patched since May, so that exploit is far less crucial to its spread. Instead, Petya leans on more fundamental weaknesses in the way we run networks and, more crucially, deliver patches: it arrived through a trusted software-update channel, then moved from machine to machine using harvested administrator credentials and ordinary Windows management tools, so one over-privileged account on a flat network carries it across an organization. None of that is as eye-catching as an NSA exploit, but it is more powerful, and it could leave organizations in a much harder position as they try to recover from today’s attacks.
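Petya (NotPetya) is publicly documented to have spread inside networks with credentials harvested from memory, pushed out through the built-in Windows management tool WMIC and a bundled copy of PsExec, alongside the SMB exploits. That is the “way we run networks” weakness the entry above refers to, and it leaves traces in ordinary process-creation telemetry. As an added example, not code from the original page, here is a small Go detector that runs over constructed process-creation records (Windows Security event 4688 or Sysmon event 1, normalised to pipe-separated fields) and flags remote WMI process creation, PsExec-style remote execution, and rundll32 loading a DLL by export ordinal, then lists how many remote hosts each account pushed execution to. The hostnames, accounts, addresses and the DLL name update.dat are all constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed process-creation records, normalised the way a SIEM might store
// Windows Security event 4688 or Sysmon event 1: ts|host|user|parent|cmdline.
// Hosts, accounts, addresses and the DLL name update.dat are illustrative only.
const sampleLog = `2017-06-27T11:02:13Z|WS-0142|CORP\jsmith|explorer.exe|"C:\Program Files\Microsoft Office\WINWORD.EXE" /n
2017-06-27T11:03:51Z|WS-0142|CORP\svc_backup|updater.exe|C:\Windows\System32\rundll32.exe C:\Windows\update.dat,#1 30
2017-06-27T11:04:02Z|WS-0142|CORP\svc_backup|rundll32.exe|wmic.exe /node:"10.1.4.22" /user:"CORP\svc_backup" /password:"<redacted>" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\update.dat\" #1 30"
2017-06-27T11:04:05Z|WS-0142|CORP\svc_backup|rundll32.exe|C:\Windows\psexec.exe \\10.1.4.23 -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\update.dat,#1 30
2017-06-27T11:05:00Z|WS-0198|CORP\amiller|cmd.exe|wmic.exe os get caption`

// Hit is one rule firing on one record.
type Hit struct {
	Host, User, Rule, CommandLine string
}

type rule struct {
	name string
	re   *regexp.Regexp
}

var rules = []rule{
	// WMI process creation on another node, with credentials passed inline.
	{"wmic-remote-process-create", regexp.MustCompile(`(?i)\bwmic(\.exe)?\b.*\s/node:\S+.*\bprocess\s+call\s+create\b`)},
	// PsExec-style push of a command to \\target.
	{"psexec-remote-exec", regexp.MustCompile(`(?i)\bpsexec(64)?(\.exe)?\s+\\\\\S+`)},
	// rundll32 calling an export by ordinal (#N) from a DLL, whatever its extension.
	{"rundll32-ordinal-export", regexp.MustCompile(`(?i)\brundll32(\.exe)?\s+"?[^",]+\.(dat|tmp|dll)"?\s*,\s*#\d+`)},
}

// remoteTarget pulls the destination host out of a WMIC /node: or PsExec \\host argument.
var remoteTarget = regexp.MustCompile(`(?i)/node:"?([^"\s]+)"?|\\\\(\S+)`)

// Detect applies every rule to the command line of every record; a record can
// fire more than one rule.
func Detect(log string) []Hit {
	var hits []Hit
	for _, line := range strings.Split(log, "\n") {
		f := strings.SplitN(line, "|", 5)
		if len(f) != 5 {
			continue
		}
		for _, r := range rules {
			if r.re.MatchString(f[4]) {
				hits = append(hits, Hit{Host: f[1], User: f[2], Rule: r.name, CommandLine: f[4]})
			}
		}
	}
	return hits
}

// CountByRule summarises how often each rule fired.
func CountByRule(hits []Hit) map[string]int {
	counts := map[string]int{}
	for _, h := range hits {
		counts[h.Rule]++
	}
	return counts
}

// RemoteTargets maps each account to the set of remote hosts it pushed
// execution to. One account fanning out to many hosts is the credential-reuse
// pattern that lets a single compromised machine take down a flat network.
func RemoteTargets(hits []Hit) map[string]map[string]bool {
	out := map[string]map[string]bool{}
	for _, h := range hits {
		m := remoteTarget.FindStringSubmatch(h.CommandLine)
		if m == nil {
			continue
		}
		target := m[1]
		if target == "" {
			target = m[2]
		}
		if out[h.User] == nil {
			out[h.User] = map[string]bool{}
		}
		out[h.User][target] = true
	}
	return out
}

func main() {
	hits := Detect(sampleLog)
	for _, h := range hits {
		fmt.Printf("[%s] %s %s: %s\n", h.Rule, h.Host, h.User, h.CommandLine)
	}
	for user, targets := range RemoteTargets(hits) {
		fmt.Printf("%s reached %d remote host(s)\n", user, len(targets))
	}
}
```

On the constructed sample the WMIC inventory query on WS-0198 and the Word launch do not fire; the three records from the svc_backup account do, and that account is seen reaching two remote hosts within seconds, which is the signal worth paging on. A real deployment should also key on the PSEXESVC service-install event (7045) rather than the binary name, since a bundled PsExec is easily renamed, and should treat any single account touching many hosts as suspect even when the command lines look mundane.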
After thousands of infections, the new Petya ransomware has run into its first major problem, as a German email provider has blocked the email account the virus was using to manage ransom demands. Victims should be advised not to pay into the wallet, since it’s unlikely the attackers can successfully decrypt systems at this point.
The problem is caused in part by Petya’s unorthodox method for collecting ransom payments. Most ransomware programs create a unique wallet for each infection, making it easy to know which victim is responsible for each payment. But Petya broke with that practice, asking every victim to send their $300 payment to the same single Bitcoin wallet, then send an email to the attackers’ one contact address with a unique identifier to confirm payment and receive the decryption keys. With that address now blocked, there is no longer any channel through which a paying victim could be matched to a key.
A major ransomware attack has brought businesses to a close throughout Europe, in an infection reminiscent of last month’s WannaCry attack. The most severe damage is being reported by Ukrainian businesses, with systems compromised at Ukraine’s central bank, state telecom, municipal metro, and Kiev’s Boryspil Airport. Systems were also compromised at Ukraine’s Ukrenergo electricity supplier, although a spokesperson said the power supply was unaffected by the attack.
The attack has even affected operations at the Chernobyl nuclear power plant, which has switched to manual radiation monitoring as a result of the attack. Infections have also been reported in more isolated devices like point-of-sale terminals and ATMs.